Apex page action Security issue
It seems we can't use the 'Action' method in <apex:page>. If any Action method is defined in the controller which takes an Id, then it violates 'Cross-Site Request Forgery (CSRF)' and the custom Action method doesn't support anti-CSRF token.
The suggestions mention using the POST method, but I am not sure how to use the POST method in an <apex:page> Action.
If you have any idea on this problem, please let us know.
Thanks
Bhaskar Roy
Hi,
Cross-Site Request Forgery (CSRF) can be avoided in Salesforce. Clear documentation is given in the link below.
Please check the section under Cross-Site Request Forgery (CSRF)
http://wiki.developerforce.com/index.php/Apex_and_Visualforce_Security_Tips
I found no help in the document you suggested, only hinting that writing Action Methods exposes you to CSRF. Can I write a VF page without action methods? I think it would be a pretty useless page if I did.
From the document:
"Within the Force.com platform, we have implemented an anti-CSRF token to prevent this attack. Every page will include a random string of characters as a hidden form field. Upon the next page load, the application checks the validity of this string of characters and will not execute the command unless the value matches the expected value. This feature will protect you when using all of the standard controllers and methods."
So I am protected only using standard controllers and methods! No help at all about how I can use the same prevention measures in my own code. Not very helpful really.
hi,
Was anyone able to resolve this issue? I am also facing the same problem. Please do post if anyone has any updates.
Thanks in advance.
I just got back a scanner result that say we have a CSRF issue too. I also found the documentation posted here to be pretty useless. It talks about a token in a hidden field that can be verified and seems to assume everyone knows how to do this. It does not give a link or reference to anything that demonstrates how to accomplish it in actual code. The security scan results has the same exact information, but no reference or example either. Also, can't find anything that helps me on the discussion boards or general web. Maybe I am missing something?
I would really appreciate it if someone could post an example of VF code for the hidden field (if pertinent) and example controller code that verifies it. It would help me immensely.
Thanks in advance,
Tom DJ.
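The following is an added illustration of the approach the quoted document hints at; it is not code from this thread or from Salesforce's documentation, and the class name `AccountDeleteController`, the page name and the field names are assumptions. The point it demonstrates: a method bound to `<apex:page action="...">` runs on a plain GET, so a crafted link fires it with no token check. Moving the state-changing step into an action method bound to an `<apex:commandButton>` inside `<apex:form>` means the request arrives as a POST that carries the platform's own anti-CSRF hidden field and view state, which is the protection the document describes for "standard controllers and methods". The constructor only resolves and displays the target; nothing destructive happens on page load.

```apex
// Hypothetical controller AccountDeleteController (added example; all names are assumptions).
//
// Pattern being replaced: the deletion ran on page load, i.e. on a GET, so any link to
// /apex/AccountDelete?id=<record id> triggered it without an anti-CSRF check:
//
//   <apex:page controller="AccountDeleteController" action="{!deleteRecord}"/>
//
// Hardened page markup: page load is read-only; the user confirms with a button inside
// <apex:form>, which Visualforce submits as a POST carrying the platform's anti-CSRF
// token and view state:
//
//   <apex:page controller="AccountDeleteController">
//     <apex:pageMessages/>
//     <apex:form rendered="{!record != null}">
//       Delete account "{!record.Name}"?
//       <apex:commandButton action="{!deleteRecord}" value="Confirm delete"/>
//     </apex:form>
//   </apex:page>
public with sharing class AccountDeleteController {
    public Account record { get; private set; }

    public AccountDeleteController() {
        // Page load (GET): only resolve and display the target, never change data here.
        String raw = ApexPages.currentPage().getParameters().get('id');
        Id accountId;
        try {
            accountId = (raw == null) ? null : Id.valueOf(raw);
        } catch (StringException e) {
            accountId = null; // malformed id in the URL
        }
        if (accountId != null && accountId.getSobjectType() == Account.SObjectType) {
            // "with sharing" limits this query to records the running user can see
            List<Account> found = [SELECT Id, Name FROM Account WHERE Id = :accountId LIMIT 1];
            record = found.isEmpty() ? null : found[0];
        }
        if (record == null) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'No valid account id was supplied.'));
        }
    }

    // Action method bound to the commandButton. It is reachable only through the form
    // POST, so a request whose anti-CSRF token does not match is rejected by the platform
    // before this code runs.
    public PageReference deleteRecord() {
        if (record == null) {
            return null;
        }
        // Explicit object-level (CRUD) permission check before the DML.
        if (!Schema.sObjectType.Account.isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'You do not have permission to delete accounts.'));
            return null;
        }
        delete record;
        PageReference listView = new PageReference('/' + Account.SObjectType.getDescribe().getKeyPrefix());
        listView.setRedirect(true);
        return listView;
    }
}
```

The design choice is to keep the `id` parameter for locating the record but to require a deliberate form submission for anything that modifies data; a security scanner flagging the original `action` attribute is objecting to the GET-triggered side effect, not to action methods in general.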
Has anyone got any solution?
I am also facing this kind of problem.
Thanks
Amit Singh
I also have the same problem.